AIKIDO-2025-10045

johnpbloch/wordpress-core is vulnerable to Cross-site Scripting (XSS)

Cross-site Scripting (XSS) Pre-CVE Published Jan 27, 2025

Medium Risk

This Affects:

johnpbloch/wordpress-core

4.1.0 - 4.1.37

Fixed in 4.1.38

4.2.0 - 4.2.34

Fixed in 4.2.35

4.3.0 - 4.3.30

Fixed in 4.3.31

4.4.0 - 4.4.29

Fixed in 4.4.30

4.5.0 - 4.5.28

Fixed in 4.5.29

4.6.0 - 4.6.25

Fixed in 4.6.26

4.7.0 - 4.7.25

Fixed in 4.7.26

4.8.0 - 4.8.21

Fixed in 4.8.22

4.9.0 - 4.9.22

Fixed in 4.9.23

5.0.0 - 5.0.18

Fixed in 5.0.19

5.1.0 - 5.1.15

Fixed in 5.1.16

5.2.0 - 5.2.17

Fixed in 5.2.18

5.3.0 - 5.3.14

Fixed in 5.3.15

5.4.0 - 5.4.12

Fixed in 5.4.13

5.5.0 - 5.5.11

Fixed in 5.5.12

5.6.0 - 5.6.8

Fixed in 5.6.11

5.7.0 - 5.7.6

Fixed in 5.7.9

5.8.0 - 5.8.5

Fixed in 5.8.7

5.9.0 - 5.9.4

Fixed in 5.9.6

6.0.0 - 6.0.3

Fixed in 6.0.4

6.1.0 - 6.1.1

Fixed in 6.1.2

6.2.0 - 6.2.0

Fixed in 6.2.1

Are you affected? Scan for Free

TL;DR

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to insufficient sanitization of block attributes. An attacker with authenticated access and contributor-level or higher permissions can exploit this by manipulating block attributes to embed arbitrary content within HTML comments on the page. This allows the attacker to inject and execute malicious scripts in the context of the victim's browser, potentially leading to data theft, session hijacking, or other malicious activities.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

johnpbloch/wordpress-core is vulnerable to Cross-site Scripting (XSS) in versions 4.1.0 - 4.1.37, 4.2.0 - 4.2.34, 4.3.0 - 4.3.30, 4.4.0 - 4.4.29, 4.5.0 - 4.5.28, 4.6.0 - 4.6.25, 4.7.0 - 4.7.25, 4.8.0 - 4.8.21, 4.9.0 - 4.9.22, 5.0.0 - 5.0.18, 5.1.0 - 5.1.15, 5.2.0 - 5.2.17, 5.3.0 - 5.3.14, 5.4.0 - 5.4.12, 5.5.0 - 5.5.11, 5.6.0 - 5.6.8, 5.7.0 - 5.7.6, 5.8.0 - 5.8.5, 5.9.0 - 5.9.4, 6.0.0 - 6.0.3, 6.1.0 - 6.1.1 and 6.2.0 - 6.2.0.